Abstract.
Android, the most popular mobile OS, has around 78% of the mobile market share.
Due to its popularity, it attracts many malware attacks. In fact, people have
discovered around one million new malware samples per quarter, and it was
reported that over 98% of these new malware samples are in fact "derivatives"
(or variants) from existing malware families. In this paper, we first show that
runtime behaviors of malware's core functionalities are in fact similar within
a malware family. Hence, we propose a framework to combine "runtime behavior"
with "static structures" to detect malware variants. We present the design and
implementation of Monet, which has a client and a backend server module. The
client module is a lightweight, in-device app for behavior monitoring and
signature generation, and we realize this using two novel interception
techniques. The backend server is responsible for large scale malware
detection. We collect 3723 malware samples and top 500 benign apps to carry out
extensive experiments of detecting malware variants and defending against
malware transformation. Our experiments show that Monet can achieve around 99%
accuracy in detecting malware variants. Furthermore, it can defend against 10
different obfuscation and transformation techniques, while only incurs around
7% performance overhead and about 3% battery overhead. More importantly, Monet
will automatically alert users with intrusion details so to prevent further
malicious behaviors.